#3506: failure to check server certificate in SMTP TLS connection
--------------------+-------------------------------------------------------
Reporter: db | Owner: mutt-dev
Type: defect | Status: new
Priority: major | Milestone:
Component: mutt | Version:
Keywords: |
--------------------+-------------------------------------------------------
Comment(by hhorak):
The proposed patch:
{{{
- if (chainidx == 0 && option (OPTSSLVERIFYHOST) != M_NO
+ if (option (OPTSSLVERIFYHOST) != M_NO
}}}
won't work very well (as you mentioned), because we check the hostname of
the CA's cert, not the server's cert.
I have prepared another patch that works similarly to how mutt_ssl.c does:
the chain of certificates is checked from root to peer (our server, e.g.
imap.gmail.com/imap.lolok.com). The check could be short-circuited *only* if
the server's certificate (peer) is correct.
{{{
--- mutt-1.5.21/mutt_ssl_gnutls.c.old 2011-03-23 11:46:28.760386765
+0100
+++ mutt-1.5.21/mutt_ssl_gnutls.c 2011-03-23 14:34:45.839456449
+0100
@@ -978,6 +978,7 @@ static int tls_check_certificate (CONNEC
unsigned int cert_list_size = 0;
gnutls_certificate_status certstat;
int certerr, i, preauthrc, savedcert, rc = 0;
+ int rcpeer;
if (gnutls_auth_get_type (state) != GNUTLS_CRD_CERTIFICATE)
{
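Review bot: `int rcpeer;` is declared without an initializer, but it is only assigned under `if (i == 0)` inside the loop and later read in `if (!certstat && !rcpeer)`; on any path where that assignment has not happened the value is indeterminate, and an accidental zero would count as "peer passed". Initialize it to a failing value, e.g. `int rcpeer = -1;`, so the default is to not short-circuit, which also avoids the compiler's maybe-uninitialized warning.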
@@ -1003,6 +1004,9 @@ static int tls_check_certificate (CONNEC
for (i = 0; i < cert_list_size; i++) {
rc = tls_check_preauth(&cert_list[i], certstat, conn->account.host,
i,
&certerr, &savedcert);
+ if (i == 0)
+ rcpeer = rc;
+
preauthrc += rc;
if (savedcert)
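Review bot: `if (i == 0) rcpeer = rc;` silently relies on cert_list[0] being the server's own certificate, while the description above says the chain is walked from root to peer; add a comment at this line stating that index 0 is the peer certificate (the same index the earlier `chainidx == 0` hostname check keyed on), so that a reader does not take the "root to peer" wording to mean index 0 is the root and conclude the wrong certificate is being recorded.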
@@ -1028,7 +1032,7 @@ static int tls_check_certificate (CONNEC
dprint (1, (debugfile, "error trusting certificate %d: %d\n", i,
rc));
certstat = tls_verify_peers (state);
- if (!certstat)
+ if (!certstat && !rcpeer)
return 1;
}
}
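Review bot: when `rcpeer` is non-zero the early `return 1` is now skipped without any trace of why; the `dprint` just above only reports `rc` for the certificate at index `i`, which may be the saved CA cert rather than the peer. Add a debug line before `if (!certstat && !rcpeer)`, for example `dprint (1, (debugfile, "peer certificate failed preauth (%d), not short-circuiting\n", rcpeer));`, so that a failed hostname check on the peer can be told apart from a chain verification failure when debugging.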
}}}
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3506#comment:8>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
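As an added illustration of the logic discussed in this comment (constructed model code, not mutt's code and not part of the ticket), the following C program models the short-circuit in the loop above with plain structs instead of GnuTLS. All names (`model_check_preauth`, `model_check_certificate`, `struct cert`, the example hostnames) are hypothetical; the hostname comparison is an exact string match rather than the real wildcard/altname logic, and the "fall back to asking the user" path is modelled as a rejection. It shows the case the ticket is about: the user has saved the CA certificate, the chain verifies, but the peer certificate was issued to a different host. The original condition accepts the connection; the patched condition, which also requires the peer's own preauth result to be clean, does not.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model; hypothetical names, no GnuTLS involved. */
struct cert {
    const char *subject;   /* host name the certificate was issued to */
    int saved;             /* 1 if the user previously saved this cert */
};

/* Model of tls_check_preauth(): 0 on success, -1 on failure.
 * The hostname is compared only for index 0, the peer certificate
 * (exact compare here instead of real wildcard/altname matching). */
static int model_check_preauth(const struct cert *c, int idx, const char *host)
{
    if (idx == 0 && strcmp(c->subject, host) != 0)
        return -1;
    return 0;
}

/* Model of the loop in tls_check_certificate().
 * chain[0] is the peer, the rest are its issuers, as GnuTLS returns them.
 * chain_verified models tls_verify_peers() reporting no error.
 * Returns 1 when the connection is accepted without prompting, 0 otherwise
 * (the real code would then ask the user; modelled as a rejection here).
 * fixed == 0 uses the original condition, fixed == 1 the patched one. */
int model_check_certificate(const struct cert *chain, size_t n,
                            const char *host, int chain_verified, int fixed)
{
    int preauthrc = 0;
    int rcpeer = -1;          /* start as failing, never as "ok" */
    size_t i;

    for (i = 0; i < n; i++) {
        int rc = model_check_preauth(&chain[i], (int)i, host);
        if (i == 0)
            rcpeer = rc;      /* remember the peer's own result */
        preauthrc += rc;

        if (chain[i].saved) {
            /* Original: any saved cert in a verified chain short-circuits,
             * even if the peer failed its hostname check.
             * Patched: only when the peer itself passed preauth. */
            if (chain_verified && (!fixed || !rcpeer))
                return 1;
        }
    }
    /* Model assumption: all certs passed preauth -> accept, else reject. */
    return preauthrc == 0 ? 1 : 0;
}

/* Scenario from the ticket: saved CA cert, chain verifies, wrong host. */
int model_scenario_mismatch(int fixed)
{
    static const struct cert chain[] = {
        { "imap.example.com", 0 },   /* peer, constructed sample */
        { "Example CA",       1 },   /* issuer, saved earlier by the user */
    };
    return model_check_certificate(chain, 2, "mail.example.com", 1, fixed);
}

/* Same chain, but the peer was issued to the host we connect to. */
int model_scenario_match(int fixed)
{
    static const struct cert chain[] = {
        { "imap.example.com", 0 },
        { "Example CA",       1 },
    };
    return model_check_certificate(chain, 2, "imap.example.com", 1, fixed);
}

/* Wrong host and nothing saved: both versions fall through and reject. */
int model_scenario_nothing_saved(int fixed)
{
    static const struct cert chain[] = {
        { "imap.example.com", 0 },
        { "Example CA",       0 },
    };
    return model_check_certificate(chain, 2, "mail.example.com", 1, fixed);
}

int main(void)
{
    printf("mismatch, original: %d\n", model_scenario_mismatch(0));
    printf("mismatch, patched:  %d\n", model_scenario_mismatch(1));
    printf("match, patched:     %d\n", model_scenario_match(1));
    return 0;
}
```

The model initializes `rcpeer` to a failing value on purpose: if the peer's result were ever not recorded, the default would be to keep checking rather than to accept.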